The instruction mentioned below only applies to Debian and Ubuntu Linux. I am going to document following things:

=> Install lighttpd
=> Prepare the file system for the jail
=> Run FastCGI PHP and MySQL from the jail
=> Add Perl support to the jail
=> Take care of sendmail
=> Run multiple domains (virtual hosting) from the chrooted jail etc

Please note that information outlined below is for advanced UNIX users or admins only ;).

Now you have all shared libraries in the /webroot directory. You can verify this with the ls command. There is one more file which you need to copy manually, /lib/ld-linux.so.2:
# cp /lib/ld-linux.so.2 /webroot/lib

Open a web browser and type url http://yourdomain.com/test.php and http://yourdomain.com/db.php.

Congratulations, if you are able to run both db.php and test.php without problems. Always refer to /var/log/message (outside the /webroot directory) for troubleshooting purposes. If you see an error message that reads as follows (tail -f /var/log/message):

To fix this problem, copy all shared libs from /lib and /usr/lib to the jail directory /webroot (or from /lib64 & /usr/lib if you are using 64 bit Linux). But please do NOT copy any executable files from the /bin, /usr/bin or /usr/sbin directories.
# cp -avr /lib/* /webroot/lib/
# cp -avr /usr/lib/* /webroot/usr/lib/
Follow these instructions for more information.
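Copying all of /lib and /usr/lib into the jail works but is coarse; the usual alternative (and what the later comment about running ldd on a failing PHP extension describes by hand) is to copy only the libraries a given binary or .so actually links against. The script below is an added example written for this page, not the tutorial's own l2chroot script: it parses ldd output, skips the kernel-provided entries such as linux-gate.so.1 that have no file behind them (the 0xffffe000 case), and includes the dynamic loader line, which is the file the tutorial says otherwise has to be copied separately. It assumes a GNU/Linux host with ldd, awk and cp; the jail path and binary are command-line arguments.

```shell
#!/bin/sh
# Added example (not the tutorial's l2chroot script): copy the shared
# libraries a binary needs into a chroot jail, driven by ldd output.
# Assumes a GNU/Linux host with ldd, awk and cp on the PATH.
set -u

# Print the absolute library paths found in ldd output read from stdin.
# Entries with no path, such as "linux-gate.so.1 => (0xffffe000)" or
# linux-vdso, are kernel-provided and are skipped rather than copied.
# The dynamic loader line ("/lib/ld-linux.so.2 (0x...)") has no "=>"
# but does start with "/", so it is included.
libs_from_ldd_output() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one file into the jail at the same path, creating parent dirs.
# -L follows symlinks so the jail gets the real file under the name
# the loader will look for; -p keeps mode and timestamps.
copy_into_jail() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -pL "$src" "$jail$src"
}

# Copy every library a binary (or .so) needs into the jail. The binary
# itself is not copied: only the libraries ldd reports for it.
jail_libs_for() {
    jail=$1
    bin=$2
    ldd "$bin" | libs_from_ldd_output | while read -r lib; do
        copy_into_jail "$jail" "$lib"
        echo "copied $lib -> $jail$lib"
    done
}

# Usage: sh jail_libs.sh /webroot /usr/bin/php-cgi
#        sh jail_libs.sh /webroot /usr/lib/php5/20060613+lfs/mysql.so
if [ "$#" -eq 2 ]; then
    jail_libs_for "$1" "$2"
fi
```

Run it once per executable and once per PHP extension (mysql.so, pdo_mysql.so and so on), then re-run after any package upgrade, since a new library version on the host is not reflected inside the jail until it is copied again.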

Did you install the php4-mysql or php5-mysql package? Use apt-get to install the PHP MySQL support package. Next copy the mysql.so shared object to the jail (see above for instructions). Restart lighttpd and test it again with phpinfo().

If your /etc and /webroot/etc are on the same partition, you can also create hard links to the files inside the chroot jail. This would be helpful if you ever needed to change resolv.conf or other files.

0xffffe000 (related to the /lib/ld-linux.so.2 file) is not a file, so you see the error, but the script has copied the other files. You need to copy /lib/ld-linux.so.2 (32 bit Linux) to the /webroot/lib directory (see above for the cp command).

I’m trying to run this tutorial on CentOS. Everything looks ok, except that the spawn-fcgi cannot be created, even if the /tmp folder is chmodded 777. Do I need to apply any patches to lighty? Hope not. If you want me to paste my install steps, let me know.

The funniest part is that you cannot find on Google any other tutorials similar to this one. The CentOS and Lighty forums are totally absent when it comes to this vital information (setting up the chroot).

I have got a question in my mind about accessing my chrooted server through FTP. I have set up an FTP server (Pure-FTPd) but I can’t cd to the /webroot/home/lighttpd directory because of its permissions. Since it has been CHMOD’ed to 0700, only the owner (www-data) can view, write and execute files inside the directory.

Seems like I have two alternatives to overcome this issue; I can configure Pure-FTPd to run as www-data and connect directly with the user www-data. Alternatively, after configuring Pure-FTPd to run as www-data, I may also create a virtual user chroot’ed to /webroot/home/lighttpd as home directory. I can CHMOD /webroot/home/lighttpd to 755, and can access files inside the directory via FTP with my unix account. Which one is more secure? Or, is any of these solutions rational at all? :)

I’ve followed this tutorial to the letter multiple times, and I’ve received the same result:

2007-06-01 10:36:50: (mod_fastcgi.c.1042) the fastcgi-backend /usr/bin/php-cgi failed to start:
2007-06-01 10:36:50: (mod_fastcgi.c.1046) child exited with status 9 /usr/bin/php-cgi
2007-06-01 10:36:50: (mod_fastcgi.c.1049) if you try do run PHP as FastCGI backend make sure you use the FastCGI enabled version. You can find out if it is the right one by executing ‘php -v’ and it should display ‘(cgi-fcgi)’ in the output, NOT (cgi) NOR (cli) For more information check http://www.lighttpd.net/documentation/fastcgi.html#preparing-php-as-a-fastcgi-program
2007-06-01 10:36:50: (mod_fastcgi.c.1351) [ERROR]: spawning fcgi failed.
2007-06-01 10:36:50: (server.c.849) Configuration of plugins failed. Going down.

Recently, lighttpd has been running flawlessly on my system. It’s only when I attempt to jail it that I receive these errors.

>> Let me know if you need detailed instructions regarding CentOS.

You can give me some guidance, no need to be super detailed. Basically it is the same as your tutorial except you use php instead of php and /modules instead of /20050606…

I just changed the lighttpd configuration file to point to the actual directory of php-cgi.

I got the PHP error about the fcgi, after a while I used strace to get some answers. The error was mysql.so unable to load the mysql client library. I made a soft link to the mysql client library in the lib directory (inside the webroot jail of course, l2chroot copied it to the /webroot/usr/lib/mysql) and the problem was fixed.

Hi Vivek, first let me say thank you for all your hard work, it has helped me in abundance :).

My problem is I am trying to chroot on CentOS 4.5 and have adapted your tutorial somewhat, however when I reach finding mysql.so it can’t be found because I’m using php5 and apparently the mysql extension is not bundled with php anymore. I do have mysql installed however, as I installed from source, but still there is no mysql.so.

Is it possible to get some advice here and if you have time CentOS tutorial? Many thanks.

I don’t have a problem connecting to mysql hosted on a pnet (private IP on the same network but without public connectivity). Make sure resolv.conf and the binary libs are copied. Also, if you have a problem, run strace from the chroot to debug the exact problem.

I just have one trouble using chroot on CentOS: each time I stop the service it says FAILED for stopping the lighttpd pid, but it stops the spawn-fcgi process correctly. Any idea what I need to upgrade? I’m using the modded init.d/lighttpd.

Ok, good news, I fixed the start/stop problem: just make sure the pids are in the /var/run directory, not much, and edit the init.d/lighttpd script by renaming the spawn-fcgi.pid occurrence to php-cgi.pid because the living process is recognized under the “php-cgi” name :)

Thanks for this great tutorial. Works perfectly with Ubuntu + PHP5 + Perl. But I have one question: The lighttpd executable is not called from the jail. Would it be possible for an attacker to exploit lighttpd directly (not PHP or Perl) and gain access to the system?

I used this tutorial with Debian Etch rc3 and PHP5. It works fine until I want to use php fastcgi. After enabling FastCGI with “lighty-enable-mod fastcgi”, I changed /etc/lighttpd/conf-enabled/10-fastcgi.conf:

After restarting lighttpd I get an error message: “unix: /webroot/tmp/php.socket could not be found or is not writeable”

The folder /webroot/tmp is chmod 1777 and owned by root:root. What did I do wrong? I performed this howto twice with a fresh debian installation. The folder /webroot is a partition mapped by fstab. Could that be the problem?

Thanks for your fast reply vivek. In this case lighttpd reports 4 errors. It could not start/find 4 .pdo files (mysql,mysqli…). Because I am not at home, I could not write down the correct error message. I will try it in the evening again.

I’m getting this:

~# dpkg -L php5-mysql
/.
/usr
/usr/lib
/usr/lib/php5
/usr/lib/php5/20060613+lfs
/usr/lib/php5/20060613+lfs/mysql.so
/usr/lib/php5/20060613+lfs/mysqli.so
/usr/lib/php5/20060613+lfs/pdo_mysql.so

I guess I can just adapt it with the given names above? Are there other little hitches on a current Debian Etch system? Is it possible to put 'Tomcat' in jail too? Thank you so much for this great website!!

Ahhh…now I see. The step where you have to create the ‘/var/www’ and the ‘/var/run’ within the /webroot is missing in this tutorial. Thanks for the fast reply! However, if I start lighty I get a bunch of errors (spawning fcgi etc.). I’m now very insecure, I guess I’ll leave it alone as I’m not experienced enough to adapt it to Debian Etch 4, MySQL5, PHP5 and Tomcat5 (in the end I’ll make a mistake somewhere and it’s no more secure than before). :-(

For $DEITY’s sake, don’t approve that last one :) Try this one instead.

I had some trouble getting it to work, but here’s some stuff I worked out.

For missing libraries (blahblah.so.whatever) you can do this;

ldd ./ – Which you can find by looking in the PHP error log. I found it especially good for this one;

PHP Startup: Unable to load dynamic library ‘blahblah.so’ – File not found in Unknown on line 0

So do an ldd on that file (ldd ./ (be in the directory where the file is, of course)) and it outputs the libraries that that extension needs to run – scatter those around in the jail versions of /lib, /opt/lib, /usr/lib, /usr/local/lib, and those errors stop happening.

For the ones that it didn’t make go away (I’m looking at you, MySQL!), doing;

ldconfig -p | grep (name of broken process**)

will give you a few more to copy across.

The thing that I was wondering about though, is how to go about securing that tmp folder. I don’t like the idea of having a world-executable folder on my server, no matter how jailed it is.

Any ideas?

*Make sure you don’t forget to set that one to a path that’s inside the jail, too, otherwise PHP can’t write to it and you’ll never see these handy-dandy helpful messages. ***

Then I type in 127.0.0.1, or 192.168.1.8, and firefox goes “Firefox can’t establish a connection to the server at x.x.x.x”. My port 80 is forwarded, but when I go to canyouseeme.org, it says port 80 is not in use.

I run ps aux in a bash shell, I see nothing that says “lighttpd”.

I’m using php5, mysql 5.1, and lighttpd 1.4.23.

wtf is wrong with my setup, just because my software is newer shouldn’t change anything right?

The .conf files for lighty on this site, and mine, are identical in configuration, but mine has a few other settings that are commented out so I just leave them be.

This website sucks, typical linux users who don’t give a shit about noobies who need help, this tutorial doesn’t work. Install latest debian, and use php5 instead of 4, and follow this tutorial, it doesn’t work.

If you’re a “noobie who need[s] help,” then you shouldn’t be preparing an externally facing chroot’ed security-critical linux web server installation. Pay someone to do this for you. Security is really, really, really hard. Buck up.


Hi. I have carefully followed each step and I received this error when starting lighttpd:

(mod_fastcgi.c.1042) the fastcgi-backend /usr/bin/php-cgi failed to start:
(mod_fastcgi.c.1046) child exited with status 9 /usr/bin/php-cgi
(mod_fastcgi.c.1049) if you try do run PHP as FastCGI backend make sure you use the FastCGI enabled version. You can find out if it is the right one by executing ‘php -v’ and it should display ‘(cgi-fcgi)’ in the output, NOT (cgi) NOR (cli)

lighttpd had been working fine before I wanted to put it in the jail. Whenever I comment out the server.chroot line, everything works ok.

I have correctly set /usr/bin/php-cgi to /usr/bin/php5-cgi but still get the same error.

Followed the guide to put my lighttpd server into the jail. All working fine except DNS resolution was not working in the chroot jail. Turns out I had to copy both libnss_dns.so.2 and libnss_dns-2.7.so from /lib to /webroot/lib. Great guide.

I followed the instructions and got a 400 error also. Then I made the following changes:
1. change the base dir in /etc/lighttpd/lighttpd.conf from /var/www to /home/lighttpd
2. change the cache dir from /webroot/var/tmp/lighttpd/cache/compress/ to /webroot/var/cache/lighttpd/compress/
3. change /etc/lighttpd/conf-enabled/10-fastcgi.conf, where /usr/bin/php-cgi becomes /usr/bin/php5-cgi

Then I can open db.php and test.php; my system is “PHP Version 5.2.6-1+lenny10”.

After these three steps, there are still some errors in the output of db.php; just see the log file in /webroot/var/log/lighttpd/error.log and check the errors.